PAT through PPPoE

Hi
I have got a new MikroTik 450G router, managed to set up the internet connection and NAT, but I am unable to forward SSH requests from the internet to my internal server with a local IP address.

Below are my firewall filters

0 ;;; Added by webbox
chain=input action=accept protocol=icmp

1 ;;; Added by webbox
chain=input action=accept connection-state=established
in-interface=Public

2 ;;; Added by webbox
chain=input action=accept connection-state=related in-interface=Public

3 ;;; Added by webbox
chain=input action=drop in-interface=Public

NAT Chains:


0 chain=srcnat action=masquerade src-address=192.168.0.0/24
dst-address=0.0.0.0/0 out-interface=pppoe-out

1 chain=dstnat action=dst-nat to-addresses=192.168.0.1 to-ports=22
protocol=tcp src-address=0.0.0.0/0 dst-address=196.200.57.200
in-interface=pppoe-out src-port=0-65535 dst-port=22

2 chain=srcnat action=src-nat to-addresses=196.200.57.200 to-ports=22
protocol=tcp src-address=192.168.0.1 dst-address=0.0.0.0
out-interface=pppoe-out src-port=22 dst-port=0-65535


Any help is most welcome.

The second srcnat rule is unnecessary (and would never be evaluated).

/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=192.168.0.1 protocol=tcp in-interface=pppoe-out dst-port=22

should work unless 192.168.0.1 isn’t the IP of the internal server.

Hi fewi, thanks for your reply. I copied and pasted your config lines, but the problem is still the same.
I had also disabled IP -> Services ssh on the router itself, but still no answer. My internal server IP address is indeed 192.168.0.1.
Could it be possible that the router is faulty? Or is there any filter I must add to the firewall filter?
Thanks.

If you posted all your firewall rules above, then there's nothing blocking the traffic. There is no need to rewrite service ports on the router - destination NAT happens very early and the source IP would no longer be a router IP, and it wouldn't take the traffic itself.

Does the inside machine have a route back through the router? Have you tried sniffing traffic there to see if it makes it?

Post the output of “/ip address print” and “/ip route print”.

Hi fewi,
Thanks for your replies; here are my addresses and routes.

Addresses

Flags: X - disabled, I - invalid, D - dynamic
 #      ADDRESS             NETWORK          BROADCAST        INTERFACE
 0  ;;; default configuration
        192.168.0.250/24    192.168.0.0      192.168.0.255    local
 1  D   196.200.57.200/32   196.200.57.180   0.0.0.0          pppoe-out




route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #       DST-ADDRESS         PREF-SRC         GATEWAY-STATE   GATEWAY          DISTANCE   INTERFACE
 0 ADS   0.0.0.0/0                            reachable       196.200.57.180   1          pppoe-out
 1 ADC   192.168.0.0/24      192.168.0.250                                     0          bridge
 2 ADC   196.200.57.180/32   196.200.57.200                                    0          pppoe-out

How do I sniff traffic to see the packets? How do I make useful use of the sniffed data?
Sorry for all these questions, I am very new to MikroTik and routing.
Thanks in advance.

If you’ve posted all your firewall filter rules in the first post (there aren’t any in the forward chain showing) then the router is set up correctly, and you either have a problem on the host you’re trying to forward traffic to or your ISP is blocking the traffic before it even gets to your router.

I’d start by sniffing traffic on the host. How you do that depends on the OS etc. - see if wireshark works on it, maybe. That is a fairly popular traffic analyzer.
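The filter rules quoted in this thread touch only the input chain, so the forward chain is left at its accept-everything default, and the later filter set accepts every new connection to the router itself (which is why a Winbox session on tcp/8291 from the Internet shows up in the connection table). Below is an added example, not code from the thread or from MikroTik, of the NAT rule fewi gives together with a minimal input and forward chain that admits only the dst-nat'd SSH from the PPPoE side. Interface names and addresses are the ones quoted in the thread; the "LAN may manage the router" rule is an assumption about where management should come from.

```routeros
# Added example: port-forward tcp/22 to 192.168.0.1 and close everything else
# arriving on the PPPoE interface. Names and addresses are from the thread.

/ip firewall nat
add chain=srcnat action=masquerade out-interface=pppoe-out src-address=192.168.0.0/24
# dst-nat runs in prerouting, before routing and before the forward chain,
# so the forward chain sees 192.168.0.1:22, not the public address
add chain=dstnat action=dst-nat to-addresses=192.168.0.1 to-ports=22 protocol=tcp in-interface=pppoe-out dst-port=22

/ip firewall filter
# input: packets for the router itself (winbox 8291, ssh 22, telnet 23, ...)
add chain=input action=accept connection-state=established
add chain=input action=accept connection-state=related
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept in-interface=!pppoe-out comment="LAN may manage the router (assumption)"
add chain=input action=drop in-interface=pppoe-out comment="no management from the Internet"

# forward: packets passing through the router; empty in the thread, i.e. accept-all
add chain=forward action=accept connection-state=established
add chain=forward action=accept connection-state=related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept protocol=tcp in-interface=pppoe-out dst-address=192.168.0.1 dst-port=22 connection-state=new comment="only the dst-nat'd SSH may enter"
add chain=forward action=drop in-interface=pppoe-out comment="nothing else from the Internet into the LAN"
```

Because the forward-chain accept matches the post-NAT destination 192.168.0.1:22, a second forwarded service needs both its own dst-nat rule and its own forward accept; the final `drop in-interface=pppoe-out` otherwise blocks it.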

Hi fewi,
I tried to monitor the connections section of the MikroTik when trying to ssh or telnet to my internal server.
I am sending you all my firewall config and connection prints.

##### Firewall Filter Rules #####

[admin@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=accept connection-state=new

1 ;;; Allow Established connections
chain=input action=accept connection-state=established

2 chain=input action=accept connection-state=related

3 ;;; Allow ICMP
chain=input action=accept protocol=icmp

4 ;;; Drop Invalid connections
chain=input action=drop connection-state=invalid


#### Firewall NAT Rules ####

[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade src-address=192.168.0.0/24
dst-address=0.0.0.0/0 out-interface=pppoe-out

1 chain=dstnat action=dst-nat to-addresses=192.168.0.1 to-ports=23
protocol=tcp in-interface=pppoe-out dst-port=23

2 chain=dstnat action=dst-nat to-addresses=192.168.0.1 to-ports=22
protocol=tcp in-interface=pppoe-out dst-port=22

##### Connection Monitoring #####

[admin@MikroTik] /ip firewall connection> print
Flags: S - seen reply, A - assured
 #     PR.. SRC-ADDRESS            DST-ADDRESS             TCP-STATE     TIMEOUT
 0 SA  tcp  41.203.196.233:49807   196.200.57.200:8291     established   8m19s
 1     tcp  41.203.196.233:53014   196.200.57.200:23       syn-sent      3s

[admin@MikroTik] /ip firewall connection> print
Flags: S - seen reply, A - assured
 #     PR.. SRC-ADDRESS            DST-ADDRESS             TCP-STATE     TIMEOUT
 0 SA  tcp  41.203.196.233:49807   196.200.57.200:8291     established   8m26s

[admin@MikroTik] /ip firewall connection> print
Flags: S - seen reply, A - assured
 #     PR.. SRC-ADDRESS            DST-ADDRESS             TCP-STATE     TIMEOUT
 0 SA  tcp  41.203.196.233:49807   196.200.57.200:8291     established   8m44s
 1     udp  192.168.0.250:5678     255.255.255.255:5678                  7s      ### I don't understand this line ###

#### Here is the connection info from the connection dialogue box ####

Src Address: 41.203.196.233:52523
Dst Address: 196.200.57.200:22
Reply Src Address: 192.168.0.1:22
Reply Dst Address: 41.203.196.233:52523
Protocol: 6 (tcp)
Connection Type:
Connection Mask:
P2P:
Time Out: 00:00:30
Tcp State: syn sent

At the bottom right of the connection dialogue box it says "unreplied".

Thanks for your help.

Hi fewi,
I found the solution! My internal server had a different IP gateway (192.168.0.62), which is the local interface of the second ADSL router I have on my network.
And the local interface IP of my MikroTik router is 192.168.0.250, and that led to the packets (coming through 192.168.0.62) being dropped by the MikroTik router, which sees them as invalid (I guess). I just changed the server gateway to the MikroTik local interface address (192.168.0.250) and it worked. Thanks a lot for your posts that helped me figure out the solution. I appreciate that.
Thanks.
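The connection entry quoted above (dst 196.200.57.200:22, reply-src 192.168.0.1:22, tcp-state syn-sent, flagged unreplied) is the fingerprint of exactly the problem found at the end of the thread: the router rewrote and forwarded the SYN, but the inside host sent its SYN-ACK to a different default gateway, so this router never saw a reply and the entry sat in syn-sent until it timed out. The udp 5678 broadcast from 192.168.0.250 is the router's own MikroTik Neighbor Discovery (MNDP) traffic and is unrelated. As an added example that is not part of the thread, the RouterOS script below turns that manual check into a one-shot listing of every forwarded TCP connection stuck in that state; the property names it filters and reads (protocol, tcp-state, dst-address, reply-src-address) are those displayed by `/ip firewall connection print detail` and are assumed here to be usable with find/get.

```routeros
# Added example, not from the thread: list dst-nat'd TCP connections whose
# inside host has not answered. Property names are assumed to match those
# shown by "/ip firewall connection print detail".
/ip firewall connection
:foreach c in=[find where protocol=tcp tcp-state="syn-sent"] do={
    :local dst [get $c dst-address]
    :local replySrc [get $c reply-src-address]
    # for a connection to the router itself reply-src equals dst;
    # after dst-nat it is the inside host, e.g. 196.200.57.200:22 -> 192.168.0.1:22
    :if ($dst != $replySrc) do={
        :put ("SYN for " . $dst . " forwarded to " . $replySrc . " but no SYN-ACK came back through this router: check that the inside host's default gateway is this router's LAN address")
    }
}
```

Run it from the terminal while an outside client retries the connection; an empty result with the dstnat rule in place means the reply path is fine and the problem is on the host (service not listening, host firewall) or upstream, which is the other branch fewi described.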